How to: Create a Supporting Credential

It is possible to have a custom security scheme that requires more than one credential. For example, a service may demand from the client not just a user name and password, but also a credential that proves the client is over the age of 18. The second credential is a supporting credential. This topic explains how to implement such credentials in a Windows Communication Foundation (WCF) client.

A supporting credential results in a supporting token transmitted inside the message. The WS-SecurityPolicy specification defines four ways to attach a supporting token to the message, as described in the following table.

| Purpose | Description |
| --- | --- |
| Signed | The supporting token is included in the security header and is signed by the message signature. |
| Endorsing | An endorsing token signs the message signature. |
| Signed and Endorsing | Signed, endorsing tokens sign the entire ds:Signature element produced from the message signature and are themselves signed by that message signature; that is, both tokens (the token used for the message signature and the signed endorsing token) sign each other. |
| Signed and Encrypting | Signed, encrypted supporting tokens are signed supporting tokens that are also encrypted when they appear in the wsse:SecurityHeader. |

Scopes

Endpoint supporting tokens support all operations of an endpoint. That is, the credential that the supporting token represents can be used whenever any endpoint operations are invoked.

Operation supporting tokens support only a specific endpoint operation.

As indicated by the property names, supporting credentials can be either required or optional. That is, an optional supporting credential is used if it is present, but authentication does not fail if it is absent.
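The attachment types and scopes described above map onto properties of the WCF `SecurityBindingElement` class. The following is an added example, not code from the original page: it builds a custom binding in which a client X.509 certificate is a required endorsing token for one operation and an optional one for another. The two SOAP action URIs and the class name are hypothetical.

```csharp
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

public static class SupportingTokenBindingExample
{
    // Hypothetical SOAP actions, chosen only for this illustration.
    const string TransferAction = "http://example.org/IAccount/Transfer";
    const string StatementAction = "http://example.org/IAccount/GetStatement";

    public static Binding Create()
    {
        // Endpoint scope, required: this helper already adds the user name
        // token as a signed, encrypted supporting token for every operation.
        SymmetricSecurityBindingElement security =
            SecurityBindingElement.CreateUserNameForCertificateBindingElement();

        // Operation scope, required: calls to Transfer must also carry a
        // client certificate that endorses (signs) the message signature.
        var transfer = new SupportingTokenParameters();
        transfer.Endorsing.Add(NewClientCertificate());
        security.OperationSupportingTokenParameters.Add(TransferAction, transfer);

        // Operation scope, optional: GetStatement accepts the certificate when
        // it is sent, but authentication still succeeds without it. Service
        // code must therefore check that the certificate's claims are present
        // before granting anything that depends on them.
        var statement = new SupportingTokenParameters();
        statement.Endorsing.Add(NewClientCertificate());
        security.OptionalOperationSupportingTokenParameters.Add(StatementAction, statement);

        return new CustomBinding(security, new HttpTransportBindingElement());
    }

    static X509SecurityTokenParameters NewClientCertificate()
    {
        return new X509SecurityTokenParameters
        {
            // Send the certificate itself in each message to the service.
            InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient,
            RequireDerivedKeys = false
        };
    }
}
```

The endpoint-scoped equivalents are `EndpointSupportingTokenParameters` and `OptionalEndpointSupportingTokenParameters`; each exposes the same `Signed`, `Endorsing`, `SignedEndorsing` and `SignedEncrypted` collections used here.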